External Application High Priv Permissions

Query

# List external applications with highly privileged permissions

## Query Information

#### Description
The query below lists the external applications with highly privileged permissions. It is highly recommended to periodically review the highly privileged external applications.

#### Risk
A third-party application with high privileges can be abused to steal information from your organization.

## Defender XDR
```KQL
// OAuth application inventory
OAuthAppInfo
// Keep only applications that originate outside the organization
| where AppOrigin == "External"
// Keep only applications classified as highly privileged
| where PrivilegeLevel == "High"
// Keep the most recent row per application
| summarize arg_max(Timestamp, *) by OAuthAppId
// Flatten the VerifiedPublisher dynamic column; add DateAdded to the project list below to include it in the output
| extend PublisherName = tostring(VerifiedPublisher.displayName), DateAdded = todatetime(VerifiedPublisher.addedDateTime)
| project AppName, OAuthAppId, ServicePrincipalId, AddedOnTime, PublisherName, AppOwnerTenantId
```

## Sentinel
```KQL
// OAuth application inventory
OAuthAppInfo
// Keep only applications that originate outside the organization
| where AppOrigin == "External"
// Keep only applications classified as highly privileged
| where PrivilegeLevel == "High"
// Keep the most recent row per application (Sentinel uses TimeGenerated instead of Timestamp)
| summarize arg_max(TimeGenerated, *) by OAuthAppId
// Flatten the VerifiedPublisher dynamic column; add DateAdded to the project list below to include it in the output
| extend PublisherName = tostring(VerifiedPublisher.displayName), DateAdded = todatetime(VerifiedPublisher.addedDateTime)
| project AppName, OAuthAppId, ServicePrincipalId, AddedOnTime, PublisherName, AppOwnerTenantId
```

Explanation

The provided KQL queries identify and list external applications that have been granted high-level permissions within an organization's environment. These applications are considered high-risk because their significant access privileges could be exploited by third parties to access or steal sensitive information from the organization.

Here's a simplified breakdown of what each part of the query does:

1. Data Source: The queries pull data from the OAuthAppInfo table, which contains information about OAuth applications.

2. Filter Criteria:
   • The queries filter for applications where AppOrigin is "External", meaning the applications were not developed internally by the organization.
   • They further filter for applications with a PrivilegeLevel of "High", indicating these applications have significant access rights.

3. Data Aggregation:
   • summarize arg_max() groups the rows by OAuthAppId and keeps, for each application, only the row with the most recent timestamp (Timestamp in Defender XDR, TimeGenerated in Sentinel).

4. Data Transformation:
   • extend adds information about the application's verified publisher: the publisher's display name (PublisherName) and the date the verified publisher was added (DateAdded).

5. Data Projection:
   • Finally, project selects the columns to display in the output: the application's name (AppName), its unique identifier (OAuthAppId), the service principal ID (ServicePrincipalId), the time it was added (AddedOnTime), the publisher's name (PublisherName), and the tenant ID of the application's owner (AppOwnerTenantId).

Overall, the queries are intended to help security teams regularly review and monitor external applications with high privileges to mitigate potential security risks.
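As an added illustration (not part of the original page or the author's query), the following Python models the query's pipeline over constructed OAuthAppInfo-style rows, assuming the table holds one row per application per refresh. It also shows the ordering caveat a reviewer should keep in mind: filtering before summarize keeps the last High-privilege row of an application whose newest row is no longer High, whereas summarizing first reports only applications currently marked High.

```python
from datetime import datetime

def row(ts, app_id, origin, level, publisher=None):
    """Build one constructed OAuthAppInfo-style record (sample data, not a real export)."""
    return {"Timestamp": ts, "OAuthAppId": app_id, "AppName": f"{app_id} app",
            "AppOrigin": origin, "PrivilegeLevel": level, "ServicePrincipalId": f"sp-{app_id}",
            "AddedOnTime": datetime(2025, 1, 15), "AppOwnerTenantId": "owner-tenant",
            "VerifiedPublisher": publisher or {}}

# Constructed snapshots: app-a stays High, app-b was High but is now Medium, app-c is internal.
SAMPLE_ROWS = [
    row(datetime(2025, 4, 1), "app-a", "External", "High",
        {"displayName": "Contoso Ltd", "addedDateTime": "2024-06-01T00:00:00Z"}),
    row(datetime(2025, 4, 8), "app-a", "External", "High",
        {"displayName": "Contoso Ltd", "addedDateTime": "2024-06-01T00:00:00Z"}),
    row(datetime(2025, 3, 20), "app-b", "External", "High"),
    row(datetime(2025, 4, 8), "app-b", "External", "Medium"),
    row(datetime(2025, 4, 8), "app-c", "Internal", "High"),
]

def latest_per_app(rows):
    """Equivalent of `summarize arg_max(Timestamp, *) by OAuthAppId`: newest row per app."""
    latest = {}
    for r in rows:
        cur = latest.get(r["OAuthAppId"])
        if cur is None or r["Timestamp"] > cur["Timestamp"]:
            latest[r["OAuthAppId"]] = r
    return list(latest.values())

def is_external_high(r):
    """The two `where` filters of the query."""
    return r["AppOrigin"] == "External" and r["PrivilegeLevel"] == "High"

def project(r):
    """The `extend` + `project` steps; a missing publisher yields "" / None like tostring()/todatetime() on null."""
    pub = r["VerifiedPublisher"]
    return {"AppName": r["AppName"], "OAuthAppId": r["OAuthAppId"],
            "ServicePrincipalId": r["ServicePrincipalId"], "AddedOnTime": r["AddedOnTime"],
            "PublisherName": pub.get("displayName", ""), "DateAdded": pub.get("addedDateTime"),
            "AppOwnerTenantId": r["AppOwnerTenantId"], "Timestamp": r["Timestamp"]}

def high_priv_external_apps(rows, filter_before_summarize=True):
    """Run the pipeline; filter_before_summarize=True is the order used by the query on this page."""
    if filter_before_summarize:
        kept = latest_per_app([r for r in rows if is_external_high(r)])
    else:
        kept = [r for r in latest_per_app(rows) if is_external_high(r)]
    return sorted((project(r) for r in kept), key=lambda p: p["OAuthAppId"])
```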

Details

Bert-Jan Pals

Released: April 14, 2025

Tables

OAuthAppInfo

Keywords

OAuthAppInfo, AppOrigin, PrivilegeLevel, Timestamp, OAuthAppId, PublisherName, DateAdded, AppName, ServicePrincipalId, AddedOnTime, AppOwnerTenantId, TimeGenerated

Operators

where, summarize, arg_max, extend, tostring, todatetime, project